This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 90%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Hello,
I have taken over an existing Active Directory domain at my company.
I am doing a tidy and consolidation of group policy objects, and one of the ones I want to sort is the default domain policy.
The policy has had Internet Explorer Maintenance settings applied, but because our domain controllers are all 2016 and above, and all our clients are Windows 10, I have nothing that is able to see those settings for me to clear out of the policy.
I toyed with the idea of manually recreating the policy, however one of the default settings in the domain policy looks to be a encrypting file system certificate, which I don't know how to manually recreate in a new policy.
I assume my options are;
Not sure what the best course of action here is?
Many thanks
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 79%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello,
Finally I have tested this solution and it seems to work. I created a new 2008R2 server without any patches to have the oldest version of IE and from this server I edited a GPO and I got the Internet Explorer Maintenance even if I have the central store :
Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Thank you.
I will see if I can find some 2008 R2 install media and give this a go!
Many thanks.
James
This has worked perfectly!
I have now been able to reset all IE customisations in the policy, which has removed it from the GPO.
Bit of a faff, but we got there!
Many thanks
James
Hi James,
Just for my reference, did you check if NetTools was able to show the IE settings, or do I need to do a code update to display these settings.
Gary.
I must apologise as I don't recall with 100% certainty.
If memory serves, it did indeed show those IE Maintenance Sections, as I think I went to edit them from NetTools, which then just launched the vanilla GP editor.
Sorry for not being able to say for certain.
Many thanks!
James
Thanks James,
When you click the edit option in NetTools it will first try to launch the GPMC version of gpoedit and will fail back to the native gpoedit, if it's not installed.
Gary.
Hi,
Have look at this option, https://nettools.net/gpo-explorer/, I haven't used it to look at the ie maintenance settings before, but as it shows the raw data in the policies it might be able to show you what is in policy.
Gary.
Thanks, but sadly the edit functionality is still provided by gpedit, which no longer includes Internet Explorer Maintenance, so I cannot remove those parts of the GPO.
Cheers
James
But you don't need to edit the policy you only need to see the settings, as you suggested, once you have the details I would recreate them in new policies and reset the default domain policy. The encryption certificate can be exported from a workstation certificate store and then re-added to a new policy.
Gary.
Do you suggest using the DCGPOFIX utility to reset the policies once I have migrated settings to new policies?
Do you know what container the EFS certificate would sit in?
Cheers
James
Hello,
One option like you describe can be to use a Windows 7 or Windows Server 2012 to edit your GPO but it will not work if you have the central store in place
Cheers,
Damn, we have a central store.
Any other options you are aware of we can use to clear these elements from this GPO?
Cheers
James
Hello,
Below you will find an update which will help you override the default behavior of the central for Windows 7 or Windows Server 2012, like that you will be able to edit your GPO setting :
https://support.microsoft.com/en-us/topic/an-update-is-available-to-enable-the-use-of-local-admx-files-for-group-policy-editor-24ea6900-fa03-d53f-c666-199e5ac02be9
Regards,
From where do I get the hotfix it mentions, for server 2012?
The button does not display to download it.
Thanks.
James
If you have an up-to-date Windows 2012 R2 it should work, you will have to create the Group Policy key and create the EnableLocalStoreOverride REG_DWORD and set it to 1
Thanks, but I didn't think 2012 R2 had IE maintenance GPO extensions, meaning I wouldn't be able to use it as a client to remove these settings from my GPO.
Am I mistaken, and can I use 2012 R2 to manage IE Maintenance policies?
Thanks
James
No you are not mistaken, I'm currently trying to find a 2008R2 without IE 11 to ensure that it will work
Hi there,
Here is a step to reset default domain policy.
Here is a link as well to help you out https://social.technet.microsoft.com/Forums/windowsserver/en-US/e8a7c194-d3bf-4e1c-857c-7f779cc86705/how-to-reset-default-domain-policy?forum=winserverDS
--If the reply is helpful, please Upvote and Accept it as an answer--
Thanks.
I have seen this suggested as a "Method of last resort".
Will this also deal with the efs certificate, or will I still have to handle that manually?
Many thanks
James
